Consent is provided by the data subject as a means of granting the organisation permission to carry out a specific processing activity. It provides the greatest level of control to the data subject, but is arguably the most difficult of the lawful bases to manage operationally.
The organisation must be able to demonstrate that it has obtained the consent of the data subject; therefore, records must be maintained of when consent is both obtained and withdrawn.
For consent to be valid it must be specific and informed, so the data subject must know what they are consenting to and the consequences of their consent. It should not be vaguely worded to allow extended processing.
Consent must be freely given, so consent should be avoided in situations where the data controller has a level of power over the data subject (e.g. in employment situations).
Consent must be evidenced through an affirmative action. For example, asking a data subject to ‘untick a box’ to avoid marketing would be unlawful, as this requires an affirmative action to avoid the consent.
Consent should be as easy to withdraw as it was to give in the first place.